REMARKS/ARGUMENTS 

Claims 1-10 and 12-21 were pending. Claims 1-10 and 12-21 were variously 
rejected under 35 USC 103(a) in light of Yatsukawa in view of Baskey and in view of Chang or 
Arthan. 

The undersigned accepts the Examiner's suggested title for the patent application. 

I. THE PRESENT INVENTION 

Embodiments of the present invention relate to secure computer network access. 

As discussed previously, with embodiments of the present invention, a user does 
not need to have a hardware or software "token" to gain network access. Instead, the user only 
needs to have an authentic public/private key pair. In the embodiment illustrated in Figs. 4A-D, 
the user enters a correct password into a key wallet to retrieve their private key and digital 
certificate (steps 400-470). 

In the various embodiments, the client then requests a one-time password from an 
external server, step 490. In response, the external server provides the one-time password, which 
is inactive, back to the client, steps 500-530. Accordingly, if anyone intercepts the one-time 
password at this stage and attempts to gain access to the system, the access will be denied because 
the one-time password is inactive. Further, because the one-time password is initially 
determined and provided in the challenge, the one-time password should be inactive. 
Otherwise, a client who receives the challenge will be able to gain access to the network using 
the one-time password, even though she may be unauthorized. 

Notice that before steps 500-530, the client does not have the one-time password. 
These embodiments allow the one-time password to be freely set, to be different for different 
users, to be different for multiple user sessions, and the like. Additionally, these 
embodiments do not require the user to have any token hardware, to pre-register their client 
system, or to pre-register user data, as discussed above. 
Next, in various embodiments the client uses the received one-time password and 
digitally signs it with the private key to form a digital data packet (a digital signature), step 540. 
The digital signature and the user's digital certificate are then sent back to the external server, 
step 560. Accordingly, data from the external server is signed and then returned to the external 
server. 

Subsequently, if the digital signature and digital certificate authenticate the user, 
the one-time password is activated, and the client may use the one-time password to access the 
protected computer network, steps 570-690. In various embodiments, if the user is not 
authenticated and the client attempts to use the one-time password to access the network, the 
access will be denied. Accordingly, the one-time password in the challenge to the client should 
be inactive until the user is authenticated. 
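To make the inactive-then-activated password concrete, the following is an added example (not code from the application or its figures) that simulates steps 490-690 with an Ed25519 key pair: the server issues a one-time password that is inactive, the client signs it with its private key, and the server verifies the signature before activating it. Assumptions: an enrolled public key stands in for the digital certificate, the secure channel and key wallet are out of scope, and all function and type names are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// VerificationServer issues one-time passwords that stay inactive until the client proves it holds the enrolled key.
type VerificationServer struct {
	active map[string]bool              // issued OTP -> activated?
	certs  map[string]ed25519.PublicKey // user -> public key (stands in for the certificate)
}

func NewVerificationServer(certs map[string]ed25519.PublicKey) *VerificationServer {
	return &VerificationServer{active: map[string]bool{}, certs: certs}
}

// Challenge (steps 490-530): generate a fresh OTP and hand it to the client while inactive.
func (s *VerificationServer) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	otp := hex.EncodeToString(b)
	s.active[otp] = false // issued, but not yet usable
	return otp, nil
}

// Authenticate (steps 560-690): verify the signature over the OTP with the enrolled key and
// only then activate it. An OTP the server never issued is refused, so it cannot be activated.
func (s *VerificationServer) Authenticate(user, otp string, sig []byte) error {
	_, issued := s.active[otp]
	pub, enrolled := s.certs[user]
	if !issued || !enrolled || !ed25519.Verify(pub, []byte(otp), sig) {
		return errors.New("user not authenticated; password stays inactive")
	}
	s.active[otp] = true
	return nil
}

// Access is the protected network's check: an intercepted, still-inactive OTP is refused.
func (s *VerificationServer) Access(otp string) bool { return s.active[otp] }

// SignChallenge (step 540): the client signs the received OTP with the key wallet's private key.
func SignChallenge(priv ed25519.PrivateKey, otp string) []byte {
	return ed25519.Sign(priv, []byte(otp))
}
```

Access on the challenge returns false until Authenticate has verified a signature made with the enrolled user's private key, after which it returns true.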

Certain limitations in the disclosed embodiments are recited in the claims. For 
example, among other limitations, claim 15, which was un-amended, recites: means for forming a 
digital signature in response to the network password received from the verification server and to 
the private key; means for communicating the digital certificate and the digital signature to the 
authentication server; and means for receiving a challenge from a verification server via a first 
secure communications channel, the challenge comprising at least a network password that is 
inactive. 

II. THE CITED REFERENCES 
A. Yatsukawa 

Yatsukawa relates to an authentication system where seed values Ds0 used to 
authenticate a user are initially synchronized. 

In Yatsukawa, the client / user sets an initial "seed data" Ds0 for authentication 
purposes in the client and the server, Col. 15, line 66 - Col. 16, line 12. From Ds0, Dn-1 are 
subsequently independently generated on a client and a server. In operation, Yatsukawa 
describes that the client logs into a server, col. 16, lines 46-52. Next, the server sends an 
authentication-data request, col. 16, lines 54-55. Then, the client generates authentication data D 
by enciphering the seed data Ds0 with the client private key K, and then D is sent back to the 
server, col. 16, lines 57-60. The server then deciphers the authentication data D using the client 
public key K to recover the client seed data. Col. 17, lines 1-14. Next, the server compares the 
recovered client seed data to the initial seed data previously provided by the user, Ds0. Col. 17, 
lines 14-17. As illustrated in Fig. 13, block S5, if the recovered client seed data matches Ds0, 
access is granted. 

B. Chang 

Chang relates to a token caching security system. 

Chang states that one method of reducing remote access security risks is through 
the use of a "Smart card or Token card." Col. 2, lines 11-13. One such card is disclosed as "the 
SecurID card commercially available from Security Dynamics, Inc.," Col. 2, lines 13-14. Chang 
states that the function of the Token card is that it "generates a series of random one-time 
passwords (OTPs)." Col. 2, lines 15-16. 

Chang describes that the Token card is used by the user. Specifically, Chang 
states: 

To use the Token card, the user typically enters a series of digits and 
letters displayed on the token-card in the prompt window or inserts the 
card into a reader that is coupled to the Remote Node. Col. 2, lines 25-28. 
Emphasis added. 

The series of digits and letters provided by the user is the one-time password 
(OTP). This user-entered OTP is then compared to an OTP independently generated in a 
password server. Specifically, Chang states: 

The password server internally generates OTPs in synch with the card, 
the OTP is then used to verify that the user is allowed to log into the 
network access server through the remote device by comparing the 
card password to the password server's password at a particular instant 
in time. Col. 2, lines 28-34. Emphasis added. 
As can be seen, in Chang, the OTP generated by the password server is never 
provided to the user. Instead, the user provides the OTP generated by the Token card to the 
password server. 

Chang notes that use of Token cards by users to generate OTPs is burdensome. 
More specifically, Chang states: 

However, a drawback with using OTPs is that additional connections ... 
are treated as separate connections. Thus, to establish a second session 
... the user is required to reenter valid user identification information a 
second time. Because the OTP is only valid "once", the user must again 
use the token card to obtain another OTP that can be used to validate the 
second connection. Col. 2, lines 55-60. 

In response, the invention in Chang appears to be a way to reduce having the user 
use the Token card to enter OTPs for each user session. Col. 3, lines 13-17. 

In Chang, initially, the user uses a Token card to generate an OTP and then the 
user provides the OTP to an authenticating server. Specifically, Chang states: 

The method comprises the steps of receiving a request to establish a 
session between the client and the first server, wherein the request 
includes identification information for authenticating a requesting user. 
Col. 3, lines 25-29. Emphasis added. 

Chang also states that the identification information includes the OTP. 
Specifically: 

One feature of this aspect is that the identification information includes a 
user name and a one-time password (OTP). Col. 3, lines 33-37. Emphasis 
added. 

In response to the user request, an authentication step is performed. If the user is 
authenticated, the identity information is cached. Specifically, 
determining, based on the identification information, whether the session 
between the client and the first server should be established, if the session 
between the client and the first server should be established, caching the 
identification information in memory; and establishing the session 
between the client and the first server. Col. 3, lines 29-34. Emphasis 
added. 

Chang notes that a second server may be used to determine whether the session 
should be established. Specifically, 

[T]he step of determining whether the session between the client and the 
first server should be established comprises the step of the first server 
communicating with a second server to determine whether the OTP is 
currently valid. Col. 5, lines 37-41. 

Additionally, Chang notes that the second server checks whether the identification 
information is cached therein. Specifically, 

[C]ommunicating with a second server to determine whether the OTP is 
currently valid further includes the steps of the second server determining 
whether the username and the OTP were previously cached in memory; 
and if the user-name and the OTP were not previously cached in memory, 
the second server communicating with a password server to determine 
whether the OTP is currently valid. Col. 3, lines 37-41. 

If the identification information is cached, the cached identification information is 
checked to see if it is still valid. Specifically, 

[C]ommunicating with a second server to determine whether the OTP is currently 
valid further comprises the step of the second server determining whether the username and the 
OTP were previously cached in memory; and if the user-name and the OTP were previously 
cached in memory, determining whether the username and the OTP are still valid. Col. 3, lines 
52-58. 
This embodiment is repeated in the Detailed Description, on Col. 4, lines 31-67, 
etc. Importantly, on Col. 6, lines 42-47, Chang describes that in block 302 of Fig. 3A, the user 
provides a request to establish a session, and the request includes the username and OTP. In 
TABLE 1, Col. 8, lines 24-32, Chang gives an example, where the user "JOE" submits the 
request and enters a "username="JOE"," "CHAP password ="ABCD"," and "OTP "1234" 
(from hand-held card)." 

TABLE 1 [Chang's table as reproduced here is not legible in this copy] 

Next, on Col. 6, lines 48-50, Chang describes that in block 304 of Fig. 3A, the 
AAA server determines whether the session should be established based on the "user 
identification information" received from the user. In TABLE 1, Col. 8, lines 24-31, Chang 
gives an example, where the AAA server communicated with a token server to verify OTP 
"1234" and validates CHAP password "ABCD." 

C. Baskey 

Baskey was previously discussed as relating to an SSL proxy server, and being 
silent regarding an authentication protocol. 
III. THE CITED REFERENCES DISTINGUISHED 
A. Claim 15 

The elements of Claim 15 are not disclosed, suggested, or taught by Yatsukawa in 
view of Baskey or Chang. More specifically, the cited references fail to disclose means for 
receiving a challenge from a verification server via a first secure communications channel, the 
challenge comprising at least a network password that is inactive. The undersigned points out 
that the underlined claim language was not entered by amendment, but was a limitation found in 
claim 15 of the original patent application, and was a limitation found in claim 15 in the first office 
action response. Accordingly, this limitation is not new. 

As discussed above, Yatsukawa is a form of "token-based" authentication where 
the client determines the authentication-data inspection data. Importantly, in Yatsukawa, the 
challenge from the verification server to the client system does not include "a network password 
that is inactive," as is recited above. In Yatsukawa, the client must already have seed data in 
memory, and must be presynchronized with the server. 

Additionally, Baskey is silent as to this limitation, as Baskey simply relates to 
SSL connections. 

As discussed above, the user in Chang uses a Token card in her possession to 
obtain a one-time password (OTP). A network password is not received from the verification 
server. Further, in Chang, the OTP that is independently determined in the authentication server 
is not initially inactive. As illustrated above, when the OTP from the Token card and the user 
simply matches the OTP independently determined in the AAA server, the user session is 
initiated. The password determined in the server is not inactive and then activated in Chang. 
Instead, once determined, the OTP is always active. Similarly, in Yatsukawa, Ds0 determined in 
the server is not inactive and then activated, but, once determined, is always active. 

The references also fail to disclose means for forming a digital signature in 
response to the network password received from the verification server and to the private key, 
and means for communicating the digital certificate and the digital signature to the authentication 
server. 

This limitation is totally missing from Chang. Additionally, Yatsukawa, at best, 
describes digitally signing seed data already present on the client. In contrast, the digital 
signature is claimed to be determined in response to the network password that was received 
from the verification server. 

Accordingly, because these cited references fail to disclose at least the above 
recited limitations, claim 15 is patentable. 

B. Remaining Claims 

Claims 1 and 8 are believed to be allowable for at least the same reasons as those 
given above for claim 15, and more particularly, for the specific limitations they recite. The 
Examiner is directed to examine the exact wording of each of these claims. 

Claims 2-7, which depend from claim 1, are believed to be allowable for at least 
the same reasons given above, and more particularly, for the specific limitations they recite, thus 
the pending rejections are traversed. The Examiner is directed to examine the exact wording of 
each of these claims. 

Claims 9-10 and 12-13, which depend from claim 8, are believed to be allowable 
for at least the same reasons given above, and more particularly, for the specific limitations they 
recite, thus the pending rejections are traversed. The Examiner is directed to examine the exact 
wording of each of these claims. 

Claims 16-20, which depend from claim 15, are believed to be allowable for at 
least the same reasons given above, and more particularly, for the specific limitations they recite. 
The Examiner is directed to examine the exact wording of each of these claims. 
CONCLUSION 

In view of the foregoing, Applicants believe all claims now pending in this 
Application are in condition for allowance and an action to that end is respectfully requested. 

If the Examiner believes a telephone conference would expedite prosecution of 
this application, please telephone the undersigned at 650-326-2400. 



Respectfully submitted, 




Stephen Y. Pang 
Reg. No. 38,575 



TOWNSEND and TOWNSEND and CREW LLP 

Two Embarcadero Center, Eighth Floor 

San Francisco, California 94111-3834 

Tel: (650) 326-2400 

Fax: (650) 326-2422 

SYP:deh 

60512611 v1 



Page 16 of 16 

PAGE 21/21 * RCVD AT 9/19/20W 6:57:08 PM [Eastern Daylight Time] * SVR:USPTO-EFXRF-6/25 * DNIS:27383(..) * CSID:6503262422 * DURATION (mm-ss):06-.. 



